Slide 1

Slide 1 text

Hacking the kube-apiserver: API Codebase Tour
Stefan Schimanski / @the_sttts / Red Hat

Slide 2

Slide 2 text

Defining API types

Slide 4

Slide 4 text

Golang types

v1alpha1 types: staging/src/k8s.io/api/auditregistration/v1alpha1
• types.go – actual Golang types (with JSON and Proto tags)
• register.go – registration code: AddToScheme

internal types: pkg/apis/auditregistration
• types.go – internal (hub) Golang types (without JSON/Proto)
• register.go – registration code: AddToScheme

Installer: pkg/apis/auditregistration/install: func Install(scheme *runtime.Scheme)

Slide 5

Slide 5 text

Scheme (k8s.io/apimachinery/pkg/runtime.Scheme): register Golang types & Golang funcs with a GroupVersionKind.
Diagram: the Scheme maps GroupVersionKinds to reflect.Types and holds the conversions and defaulters; the Codec sits on top of the Scheme.

Slide 7

Slide 7 text

Generated code

Conversions: pkg/apis/auditregistration/v1alpha1
• conversion.go – custom conversions
• zz_generated.conversion.go – generated conversions
Defaults: zz_generated_defaults.go
DeepCopy: zz_generated_deepcopy.go
Generated code: not in k8s.io/api!
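Slides 4, 5 and 7 describe the Scheme as the registry that maps GroupVersionKinds to Go types and holds the conversions between the versioned types and the internal (hub) type. The following stand-alone Go model is an added example, not code from the talk or from k8s.io/apimachinery: it shows what that registration and the hub-and-spoke conversion look like in practice. The type names AuditSinkV1alpha1, AuditSink and AuditSinkV1beta1, their fields, the group string and the sample URL are constructed for the example; only types and conversions are modelled, and the Scheme's defaulters hang off the same kind of per-Go-type lookup.

```go
package main

import (
	"fmt"
	"reflect"
)

// GroupVersionKind names an API type; "__internal" is apimachinery's version string for hub types.
type GroupVersionKind struct{ Group, Version, Kind string }

const APIVersionInternal = "__internal"

// Constructed stand-ins for the type layers on slides 4 and 7 (not the real AuditSink types).
// The JSON tags are what the Codec uses when decoding; they play no role in conversion.
type (
	AuditSinkV1alpha1 struct { // external v1alpha1 type: JSON tags, the wire format
		Level string `json:"level,omitempty"`
		URL   string `json:"url"`
	}
	AuditSink struct{ Level, WebhookURL string } // internal hub type: no JSON tags
	AuditSinkV1beta1 struct { // hypothetical later version with a different shape
		Policy struct{ Level string `json:"level"` } `json:"policy"`
		URL    string                                `json:"webhookURL"`
	}
)

// Scheme models runtime.Scheme: GVK -> reflect.Type, plus conversion funcs keyed by Go type pair.
type Scheme struct {
	types       map[GroupVersionKind]reflect.Type
	conversions map[[2]reflect.Type]func(in, out interface{})
}

func NewScheme() *Scheme {
	return &Scheme{map[GroupVersionKind]reflect.Type{}, map[[2]reflect.Type]func(in, out interface{}){}}
}

// AddKnownType registers a value type under a GVK (what register.go's AddToScheme does).
func (s *Scheme) AddKnownType(gvk GroupVersionKind, obj interface{}) { s.types[gvk] = reflect.TypeOf(obj) }

// AddConversionFunc takes typed nil pointers such as (*AuditSink)(nil) to name the two types.
func (s *Scheme) AddConversionFunc(from, to interface{}, fn func(in, out interface{})) {
	s.conversions[[2]reflect.Type{reflect.TypeOf(from), reflect.TypeOf(to)}] = fn
}

// New returns a pointer to a zero value of the type registered for gvk.
func (s *Scheme) New(gvk GroupVersionKind) (interface{}, error) {
	if t, ok := s.types[gvk]; ok {
		return reflect.New(t).Interface(), nil
	}
	return nil, fmt.Errorf("no kind %q registered in %s/%s", gvk.Kind, gvk.Group, gvk.Version)
}

func (s *Scheme) Convert(in, out interface{}) error {
	if fn, ok := s.conversions[[2]reflect.Type{reflect.TypeOf(in), reflect.TypeOf(out)}]; ok {
		fn(in, out)
		return nil
	}
	return fmt.Errorf("no conversion from %T to %T", in, out)
}

// ConvertToVersion always goes through the group's internal hub: versions convert only to
// and from the hub, never directly to each other, so each new version adds two conversions
// rather than one per existing version.
func (s *Scheme) ConvertToVersion(in interface{}, to GroupVersionKind) (interface{}, error) {
	hub, err := s.New(GroupVersionKind{to.Group, APIVersionInternal, to.Kind})
	if err != nil {
		return nil, err
	}
	if err := s.Convert(in, hub); err != nil {
		return nil, err
	}
	out, err := s.New(to)
	if err != nil {
		return nil, err
	}
	return out, s.Convert(hub, out)
}

// Install mirrors pkg/apis/<group>/install: register every version plus the hub.
func Install(s *Scheme) {
	const g = "auditregistration.k8s.io"
	s.AddKnownType(GroupVersionKind{g, "v1alpha1", "AuditSink"}, AuditSinkV1alpha1{})
	s.AddKnownType(GroupVersionKind{g, "v1beta1", "AuditSink"}, AuditSinkV1beta1{})
	s.AddKnownType(GroupVersionKind{g, APIVersionInternal, "AuditSink"}, AuditSink{})
	s.AddConversionFunc((*AuditSinkV1alpha1)(nil), (*AuditSink)(nil), func(in, out interface{}) {
		i, o := in.(*AuditSinkV1alpha1), out.(*AuditSink)
		o.Level, o.WebhookURL = i.Level, i.URL
	})
	s.AddConversionFunc((*AuditSink)(nil), (*AuditSinkV1beta1)(nil), func(in, out interface{}) {
		i, o := in.(*AuditSink), out.(*AuditSinkV1beta1)
		o.Policy.Level, o.URL = i.Level, i.WebhookURL
	})
}

func main() {
	s := NewScheme()
	Install(s)
	// constructed request object, as the Codec would have decoded it from v1alpha1 JSON
	out, err := s.ConvertToVersion(&AuditSinkV1alpha1{Level: "Request", URL: "https://sink.example/audit"},
		GroupVersionKind{"auditregistration.k8s.io", "v1beta1", "AuditSink"})
	fmt.Printf("%+v %v\n", out, err)
}
```

A version that is not registered (say v2) is rejected by New, and a version without a conversion to the hub is rejected by Convert; both surface as errors rather than as silently half-converted objects, which is the behaviour you want from the code path that sits in front of validation and admission.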

Slide 8

Slide 8 text

Serving the API

Slide 9

Slide 9 text

apiserver binary: the generic apiserver in k8s.io/apiserver
Diagram: the handler chain (authentication, authorization, impersonation, panic recovery, request-timeout, audit, max-in-flight) in front of a mux that serves /version, /apis, /openapi/v2, /swagger.json, /healthz and /metrics; everything else is a 404. It knows no API groups yet: the Scheme is empty. (Arrow legend: data flow; calls back to.)

Slide 11

Slide 11 text

k8s.io/apiserver/pkg/server/config.go:

    func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
        handler := genericapifilters.WithAuthorization(apiHandler, ...)
        handler = genericfilters.WithMaxInFlightLimit(handler, ...)
        handler = genericapifilters.WithImpersonation(handler, ...)
        handler = genericapifilters.WithAudit(handler, ...)
        failedHandler := genericapifilters.Unauthorized(...)
        failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, ...)
        handler = genericapifilters.WithAuthentication(handler, ..., failedHandler, ...)
        handler = genericfilters.WithCORS(handler, ...)
        handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, ...)
        handler = genericfilters.WithWaitGroup(handler, ...)
        handler = genericapifilters.WithRequestInfo(handler, ...)
        handler = genericfilters.WithPanicRecovery(handler)
        return handler
    }
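The order of the wraps in DefaultBuildHandlerChain is easy to misread: the filter applied first (authorization) ends up innermost, and the one applied last (panic recovery) is the first thing every request meets. The following added example, which is not code from k8s.io/apiserver, rebuilds the chain in the same order out of stand-in net/http middleware (the token table, the user-to-method policy, the request path and the X-Trace header used for tracing are all constructed) so the consequences are visible: an unauthenticated request is answered by the failed handler before authorization ever runs, a denied request stops at authorization, and a panic in the resource handler becomes a 500 instead of a crashed server.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type userKey struct{} // context key for the authenticated user

// named is a pass-through stand-in for the filters whose internals do not matter here;
// every filter appends its name to the X-Trace response header (demo instrumentation only).
func named(name string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("X-Trace", name)
		next.ServeHTTP(w, r)
	})
}

// withAuthentication: bearer token -> user via a constructed token table, else failedHandler.
func withAuthentication(next, failedHandler http.Handler, tokens map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("X-Trace", "authentication")
		user, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			failedHandler.ServeHTTP(w, r)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, user)))
	})
}

// withAuthorization: constructed user -> allowed-methods policy; it relies on authentication
// sitting further out in the chain and having already put the user into the context.
func withAuthorization(next http.Handler, allow map[string]map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("X-Trace", "authorization")
		if user, _ := r.Context().Value(userKey{}).(string); !allow[user][r.Method] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// withPanicRecovery: a panicking inner handler becomes a 500 response, not a dead server.
func withPanicRecovery(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("X-Trace", "panic recovery")
		defer func() { if recover() != nil { http.Error(w, "internal error", http.StatusInternalServerError) } }()
		next.ServeHTTP(w, r)
	})
}

// buildHandlerChain wraps in the slide's order: the first wrap (authorization) ends up
// innermost and the last wrap (panic recovery) is the first filter every request meets.
func buildHandlerChain(apiHandler http.Handler, tokens map[string]string, allow map[string]map[string]bool) http.Handler {
	handler := withAuthorization(apiHandler, allow)
	handler = named("max-in-flight", handler)
	handler = named("impersonation", handler)
	handler = named("audit", handler)
	failedHandler := named("failed-authentication audit", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	}))
	handler = withAuthentication(handler, failedHandler, tokens)
	handler = named("cors", handler)
	handler = named("timeout", handler)
	handler = named("wait-group", handler)
	handler = named("request-info", handler)
	return withPanicRecovery(handler)
}

// demoChain wraps a constructed resource handler that panics on DELETE, with one constructed token and policy.
func demoChain() http.Handler {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodDelete {
			panic("bug in the resource handler")
		}
		w.WriteHeader(http.StatusOK)
	})
	return buildHandlerChain(api, map[string]string{"tok-alice": "alice"},
		map[string]map[string]bool{"alice": {http.MethodGet: true, http.MethodDelete: true}})
}

// serve runs one request through h and returns the status code and the filter trace.
func serve(h http.Handler, method, token string) (int, []string) {
	req := httptest.NewRequest(method, "/api/v1/namespaces/default/pods", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header()["X-Trace"]
}

func main() {
	for _, c := range [][2]string{{"GET", ""}, {"POST", "tok-alice"}, {"GET", "tok-alice"}, {"DELETE", "tok-alice"}} {
		code, steps := serve(demoChain(), c[0], c[1])
		fmt.Printf("%-6s %-9s -> %d via %s\n", c[0], c[1], code, strings.Join(steps, " > "))
	}
}
```

Reading the trace for the unauthenticated GET makes the point of the ordering: panic recovery, request-info, wait-group, timeout, cors and authentication run, then the failed handler answers with 401, and authorization, audit, impersonation and max-in-flight are never reached. The same construction is why a filter placed inside authentication may rely on a user being present in the context, and why the real chain routes failed authentication through its own audit handler.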

Slide 12

Slide 12 text

Diagram: the kube-apiserver binary is the generic apiserver with the same handler chain (authentication, authorization, impersonation, panic recovery, request-timeout, audit, max-in-flight) and mux (/version, /apis, /openapi/v2, /swagger.json, /healthz, /metrics, anything else 404), but now with the Go types registered in the Scheme (e.g. core/v1 Pod). It still knows no API groups yet. (Arrow legend: data flow; calls back to.)

Slide 13

Slide 13 text

Diagram: a resource handler is added behind the handler chain, installed via InstallAPIGroup(info). For the verbs GET, CREATE, LIST, UPDATE, DELETE, WATCH and PATCH it covers decoding, request conversion & defaulting, admission (mutating webhooks, validating webhooks), validation, REST logic, result conversion and encoding, calling back to the Scheme (core/v1 Pod, ...). Anything the mux does not match is still a 404.

Slide 14

Slide 14 text

Diagram: same as slide 13, now with several resource handlers behind the handler chain; there is no storage logic yet.

Slide 15

Slide 15 text

Diagram: same as slide 14, with storage added behind the REST logic: each API Group (e.g. "core") has per-resource storage (PodStorage) built on the Generic Registry, which calls the resource's Strategy (Pod Strategy: PrepareForUpdate, PrepareForCreate, Validate, ...) on create, update, ..., then does storage conversion & defaulting and writes to etcd.

Slide 16

Slide 16 text

Diagram: same as slide 15, annotated with the object version at each stage: v1 on the request and response side, the internal ("int") hub version inside REST logic and the registry, and a storage version (v1 or v2) towards etcd. Every conversion goes through the hub/internal version.

Slide 17

Slide 17 text

Diagram: same as slide 16, highlighting the points where the handlers call back to the Scheme for conversions and defaulting.

Slide 18

Slide 18 text

Diagram: same as slide 17, with the kube-aggregator and CRDs placed in front of the kube-apiserver's own handler chain; requests for aggregated API groups go on to aggregated apiservers.

Slide 19

Slide 19 text

Diagram: the same picture as slide 18, annotated with where each part lives in the code:
• types: pkg/apis + k8s.io/api
• storage and strategies: pkg/registry
• generic registry: k8s.io/apiserver/pkg/registry/generic
• etcd storage: k8s.io/apiserver/pkg/storage/etcd3
• resource handlers: k8s.io/apiserver/pkg/endpoints/handlers
• handler chain filters: k8s.io/apiserver/pkg/endpoints/filters
• admission: k8s.io/apiserver/pkg/admission, k8s.io/apiserver/plugin/pkg/admission, plugins/pkg/admission
• aggregator: k8s.io/kube-aggregator
• CRDs: k8s.io/apiextensions-apiserver

Slide 20

Slide 20 text

"The registry" of a resource
Diagram: API Group "auditregistration.k8s.io" → AuditSinkStorage (next to API Group "core" → PodStorage) → Generic Registry (staging/src/k8s.io/apiserver/pkg/registry/generic/registry) → AuditSink Strategy with PrepareForUpdate, PrepareForCreate, Validate, ... (validation lives in pkg/apis/auditregistration/validation), invoked on create, update, ...
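The Generic Registry on this slide is where the per-resource Strategy hooks run. The following Go model is an added example, not code from k8s.io/apiserver/pkg/registry/generic/registry: the AuditSink fields, the validation rules, the webhook URL and the in-memory map standing in for etcd are all constructed. It shows the contract a strategy author is writing against: PrepareForCreate and PrepareForUpdate take registry-owned fields away from the client, Validate rejects the object before it reaches storage, and Update enforces optimistic concurrency on resourceVersion.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuditSink is a constructed internal object with just the fields this strategy looks at.
type AuditSink struct {
	Name, Level, WebhookURL string
	ResourceVersion         string // owned by the registry, never trusted from clients
	Generation              int64  // owned by the registry, bumped on every update
}

// Strategy is the per-resource hook set the generic registry calls around storage.
type Strategy interface {
	PrepareForCreate(obj *AuditSink)
	PrepareForUpdate(obj, old *AuditSink)
	Validate(obj *AuditSink) []error
}

type auditSinkStrategy struct{}

// PrepareForCreate resets registry-owned fields so a client cannot preset them.
func (auditSinkStrategy) PrepareForCreate(obj *AuditSink) { obj.ResourceVersion, obj.Generation = "", 1 }

// PrepareForUpdate derives registry-owned fields from the stored object, not from the request.
func (auditSinkStrategy) PrepareForUpdate(obj, old *AuditSink) { obj.Generation = old.Generation + 1 }

var validLevels = map[string]bool{"None": true, "Metadata": true, "Request": true, "RequestResponse": true}

// Validate is the constructed counterpart of pkg/apis/<group>/validation.
func (auditSinkStrategy) Validate(obj *AuditSink) []error {
	var errs []error
	if !validLevels[obj.Level] {
		errs = append(errs, fmt.Errorf("level: unsupported value %q", obj.Level))
	}
	if !strings.HasPrefix(obj.WebhookURL, "https://") {
		errs = append(errs, errors.New("webhook url: must use https"))
	}
	return errs
}

var ErrConflict = errors.New("conflict: resourceVersion is stale")

// Store is a tiny single-goroutine model of the generic registry (the real one wraps etcd).
type Store struct {
	strategy Strategy
	objects  map[string]AuditSink
	rv       int
}

func NewStore(s Strategy) *Store { return &Store{strategy: s, objects: map[string]AuditSink{}} }

// Create runs the strategy hooks before anything reaches storage.
func (st *Store) Create(obj *AuditSink) (*AuditSink, error) {
	st.strategy.PrepareForCreate(obj)
	if errs := st.strategy.Validate(obj); len(errs) > 0 {
		return nil, fmt.Errorf("invalid %q: %v", obj.Name, errs)
	}
	if _, exists := st.objects[obj.Name]; exists {
		return nil, fmt.Errorf("%q already exists", obj.Name)
	}
	return st.commit(obj), nil
}

// Update applies optimistic concurrency: the client's ResourceVersion must match the
// stored one, so two writers cannot silently overwrite each other.
func (st *Store) Update(obj *AuditSink) (*AuditSink, error) {
	old, ok := st.objects[obj.Name]
	if !ok {
		return nil, fmt.Errorf("%q not found", obj.Name)
	}
	if obj.ResourceVersion != old.ResourceVersion {
		return nil, ErrConflict
	}
	st.strategy.PrepareForUpdate(obj, &old)
	if errs := st.strategy.Validate(obj); len(errs) > 0 {
		return nil, fmt.Errorf("invalid %q: %v", obj.Name, errs)
	}
	return st.commit(obj), nil
}

// commit assigns the next resourceVersion and stores a copy of the object.
func (st *Store) commit(obj *AuditSink) *AuditSink {
	st.rv++
	obj.ResourceVersion = fmt.Sprint(st.rv)
	st.objects[obj.Name] = *obj
	return obj
}

func main() {
	st := NewStore(auditSinkStrategy{})
	// constructed request: the client tries to preset the registry-owned fields
	created, err := st.Create(&AuditSink{Name: "demo", Level: "Metadata", WebhookURL: "https://sink.example/audit", ResourceVersion: "999", Generation: 42})
	fmt.Printf("%+v %v\n", created, err)
}
```

The split matters for review: a reviewer reading a new resource's strategy file (the pkg/registry side of slide 19) checks PrepareForCreate and PrepareForUpdate for every field the client must not control, and checks Validate for every field whose value is trusted by other components, because the resource handler itself does none of that.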

Slide 21

Slide 21 text

Plumbing into kube-apiserver

pkg/master/import_known_versions.go (the package's func init() installs into legacyscheme.Scheme):

    import (
        _ "k8s.io/kubernetes/pkg/apis/auditregistration/install"
    )

pkg/master/master.go (InstallAPIs installs the handlers into the mux):

    import (
        auditregistrationrest "k8s.io/kubernetes/pkg/registry/auditregistration/rest"
    )

    restStorageProviders := []RESTStorageProvider{
        auditregistrationrest.RESTStorageProvider{},
        autoscalingrest.RESTStorageProvider{},
        …
    }
    apiserver.InstallAPIs(…, restStorageProviders…)

Slide 22

Slide 22 text

Build system plumbing
• hack/.golint_failures – ignore lint errors due to generated code
• hack/lib/init.sh – add to KUBE_AVAILABLE_GROUP_VERSIONS, used by many hack/ scripts
• hack/update-generated-protobuf-dockerized.sh – generate Protobuf code, independent from KUBE_AVAILABLE_GROUP_VERSIONS for some reason

Slide 23

Slide 23 text

$ make WHAT=cmd/hyperkube
$ RUNTIME_CONFIG=auditregistration.k8s.io/v1alpha1=true \
    hack/local-up-cluster.sh
$ kubectl get --raw /apis | grep auditregistration.k8s.io

Slide 24

Slide 24 text

Live Debugging

Slide 26

Slide 26 text

Live Debugging: perfectly written down in xmudrii’s https://xmudrii.com/posts/debugging-kubernetes/

Slide 28

Slide 28 text

@lavalamp’s “Live API Code Review” after the break